Windows 2008R2 RDS CAL Licenses when License server is down

Content

Grace period with failed/offline License server. 1

An example of RDS Client Access Licenses (CALs) and their expiry time: 3

Grace Period after installation with no License Server available. 4

What if there are  Insufficient Per User Licenses available. 5

Remote Desktop Administration & RDS Licenses. 5

Conclusions.. 5

FAQ.. 5


I found quite some people on Microsoft & Citrix Forums trying to find some clear answers related to Remote Desktop Licenses – the old Terminal Services licences – more specific for Windows 2008R2 and the licences that are required for the clients (Windows), the so called CALs, Client Access Licenses.

 

If you need all answers, then the Windows 2008R2 Remote Desktop Licenses Resource Kit book is the place for you.

Since you don’t have time to read all chapters of a book with 1000 pages, I summarized some topics, quoting some official Microsoft articles and adding some clarifications to it. And the end of the article you can find an FAQ which might answers some questions not covered in this article.

Grace period with failed/offline License server

 

There is no separate grace period provided for your client if your license server failed.

 

For each Per Device or Per User CAL that is issued, an expiration period is applied. This expiration period is a random number of days between 52 to 89 days after the license is issued. The terminal server always attempts to renew these CALs seven days before they expire. 

 

Beginning seven days before the license expires, when that license is presented at logon, the RD Session Host server (read: RDS/Terminal server the user is logging onto) will try to renew it for another period of 52 to 89 days.

 

If your Remote Desktop Session Host is not able to contact the RDS license server – the clients that are having valid license will not get connection denial (Read: wíll be able to logon) even if your license server is down for some time.

 

Only the clients that either have no license at all or have licenses past the expiry date, will face connection denial.

This is how Microsoft describes the different scenarios:

 

Users connect with expired license:

 

– If the client does not have a valid license or if the license it has is within seven days of expiring, then the RD Session Host server must attempt to obtain a license for the client at each login.

 

– If the server cannot find a license server to renew the license before it expires or no license is available, the license will expire.

 

What happens then depends on the circum­stances described in Table below Notice that there are circumstances in which an RD Session Host server in Per-User mode will permit the connection when an RD Session Host server in Per-Device mode will not. 

 

CIRCUMSTANCE

PER-USER

PER-DEVICE

The RD Session Host server has never   found a license server but is in its grace period.

The RD Session Host server will issue   a temporary license that lasts up to 90 days.

The RD Session Host server will issue   a temporary license that lasts up to 90 days.

The RD Session Host server has never   found a license server and is out of the grace period.

The RD Session Host server will not   permit the connection.

The RD Session Host server will not   permit the connection.

The RD Session Host server has found   a license server but the license server has no RDS CALs installed and is not   activated. The license server is in the grace period.

The client will be allowed access for   up to 120 days.

The client will be allowed access for   up to 120 days.

Session Host server has found a   license server but the license server has no RDS CALs installed. The license   server is out of its grace period.

The RD Session Host server will   permit the connection.

The RD Session Host server will not   permit the connection.

The RD Session Host server has found   a license server with RDS CALs available.

The RD Session Host server will give   the license server the name of the user attempting to connect to the RD   Session Host server. The license server will then contact AD DS to set a   property on that user’s account object to show that the person has used a   license.

The RD Session Host server will   contact the license server with the hardware ID (HWID) of the computer   attempting to connect to the RD Session Host server. The license server will   then assign an RDS CAL to that HWID and create a record of the assignment.

Source and credits: windows-server-2008-r2-remote-desktop-services-resource-kit

 

An example of RDS Client Access Licenses (CALs) and their expiry time:

 

CAL Usage Report

 

 

 

RD License Server:

SERVERNAME

 

 

Report Date:

Thursday, 21st of November 2013
19:41:03

 

CAL Availability

Report Scope:

Domain

 

Limited

 

 

 

 

CAL Version

CAL Type

Installed CALs

CALs in Use

Windows Server 2008

or Windows Server 2008 R2

Per User

7

250

 

 

 

 

 

 

 

 

Issued to User

CAL Version

 

Expires On

 

 

 

 

DOMAIN\user1

Windows Server 2008 or 2008 R2

Monday

9th of December  2013 15:24:48

DOMAIN\user2

Windows Server 2008 or 2008 R2

Tuesday

31st of December 2013 19:10:51

DOMAIN\user3

Windows Server 2008 or 2008 R2

Sunday

24st of December 2013 18:15:35

DOMAIN\user4

Windows Server 2008 or 2008 R2

Tuesday

26st of November 2013 18:10:53

DOMAIN\user5

Windows Server 2008 or 2008 R2

Tuesday

24st of December 2013 16:52:38

DOMAIN\user6

Windows Server 2008 or 2008 R2

Saturday

14th of December 2013 18:15:14

DOMAIN\user7

Windows Server 2008 or 2008 R2

Saturday

4th of January2014 18:10:04

Grace Period after OS installation with no License Server (yet) available.


There is a licensing grace period during which no license server is required, which starts the moment the Operating System is installed. After the grace period ends, clients must have a valid RDS CAL issued by a license server before they can log on to an RD Session Host server.

 

The length of the grace period is based on the operating system running on the RD Session Host server. For Windows 2003, 2003R2, Windows 2008, 2008R2, grace period is 120 days. For Windows 2000, grace period is 90 days.

 

The grace period (on the RDS/Terminal Server) ends after whichever of the following occurs first:

 

– A permanent RDS CAL is issued by a license server to a client connecting to the RD Session Host server.

– The number of days in the grace period is exceeded.

What if there are  Insufficient Per User Licenses available.


An RDS Per User CAL gives one user the right to access an RD Session Host server from an unlimited number of client computers or devices. RDS Per User CALs are not enforced by RD Licensing. As a result, client connections can occur regardless of the number of RDS Per User CALs installed on the license server.

This does not absolve administrators from Microsoft Software License Terms requirements to have a valid RDS Per User CAL for each user. Failure to have an RDS Per User CAL for each user, if Per User licensing mode is being used, is a violation of the license terms.

To ensure that you are in compliance with the license terms, make sure that you track the number of RDS Per User CALs being used in your organization and that you have a sufficient number of RDS Per User CALs installed on the license server to provide an RDS Per User CAL for each user that needs to connect to the RD Session Host server.

Remote Desktop Administration & RDS Licenses


Remote Desktop supports two concurrent connections to remotely administer a computer. You do not need a license server for these connections. For these connections you must use the /admin switch of the mstsc command to allow to connect without a license.

Conclusions

 

– If your RDS License Server goes down, most of your clients (let’s say 95%) will be able to connect to your RDS servers, since they have a valid license, that is still valid for several days/weeks.

If your RDS License Server goes down, users who never connected before to any of the RDS servers will NOT be able to logon.

– For failover reasons, you should have at least 2 or more RDS License servers.

– In practice, in an environment using Per User licenses, it does not matter if your RDS License server has 1 or 10.000 Licenses. Even with insufficient licenses your users will be granted logon. This is the same concept that was used in Windows server 2003. Microsoft however states in their End User License Agreement (EULA), that you are obliged to buy a license for every user connecting to your RDS servers.

 

FAQ

 

1- Should a company buy 2 x 500 licenses, just to be covered for 500 users in case of desaster recovery?

I don’t think so, and I would find it weird if your Microsoft representative would state otherwise. As long as your company is not half a year in "desaster recovery mode" situation, having temporarily officially less licenses than the required volume is not an issue.

 

2- Is there a chance some day, Microsoft guys appear at my door wanting to scan all pcs and servers for unlicensed software and unpaid licenses?

Yes, there is. Especially larger companies – ore than 500 users – run a decent risk. Microsoft would request access to your infrastructure to run some scripts to collect all license information. This will result in an amount you should pay for unpaid actively and retrospectively used software, together with a fine.
What Microsoft mostly does, is make an agreement, in which the company pays a certain price, and Microsoft officially blames noone, keeping the partnership active. This way no IT Manager gets blamed or fired. Microsoft wouldn’t want to piss off their client completely so they start to migrate to Red Hat Linux the next day, do they?

 

3- Should I test the theory and simulate a temporary outage of my RDS License server?

Of course, Desaster Recovery simulations are one of the most important concepts in keeping your company running.

4- I don’t have time, or my company never asked me to run RDS CAL reports. Can I safely do without?

According to the EULA, the company is responsible to keep an eye on the used licenses vs. the paid for licenses.
Since you are probably the techie, it could mean that if you didn’t inform your IT manager before the scan, maybe you could get the blame? Or not.

 

5- I still have questions that are not listed, and I cannot find the answers!

MS Licenses are a difficult matter that get more complicated every year. Let your official Microsoft representative answer the questions you have.
The Citrix forums are also a good place to get solid answers to your questions, and if it’s really urgent you could spend a few dollars to get a quick and exact answer on sites like www.expert-exchange.com. Some guys there have an IQ of over 150, and can memorize whole books.